Ioana Lavric – Columbia Science and Technology Law Review (Columbia Law/Tech Journal), http://stlr.org

How to Stanch the Heartbleed: Short-Term Fixes and Long-Term Solutions
http://stlr.org/2014/05/01/how-to-stanch-the-heartbleed-short-term-fixes-and-long-term-solutions/
Thu, 01 May 2014

Experts disagree over the potential impact of Heartbleed. Many worry about the sheer ubiquity of OpenSSL code, which serves as the encryption platform for many Android devices and for over two-thirds of the Internet, and which has been adopted by companies like Amazon, Facebook, Netflix and Yahoo. Government entities like the F.B.I. and the Pentagon also rely upon OpenSSL. Two weeks ago, the Canada Revenue Agency announced that its website was attacked with Heartbleed over a six-hour period, during which the information of approximately nine hundred Canadian taxpayers was stolen.

Using password managers like 1Password plus browser extensions like Chromebleed could help individual users evade Heartbleed and other such bugs for the short term. So would changing passwords on any websites stating that 1) they are no longer vulnerable to Heartbleed and that 2) they have changed the private encryption key they use to protect HTTPS traffic. Widespread adoption of two-factor authentication processes is an adequate “medium term” solution. But preventing Heartbleed-like bugs for the long term cannot be accomplished through easy fixes.

Long-term solutions include abandoning OpenSSL altogether in favor of private-market equivalents, and ensuring that OpenSSL receives a steady influx of funds and manpower. The first option appeals to commentators who believe that OpenSSL contributors, as unpaid volunteers, are simply under-incentivized to check for Heartbleed-like errors – an allegedly grueling and monotonous task, which earns them neither bonuses nor pink slips.

Perhaps, though, open source advocates are right – OpenSSL contributors are under-funded, not under-incentivized. After all, OpenSSL has thus far survived on under $2,000 in yearly donations, whereas Linux – widely touted as an open source triumph – regularly garners over $500,000 in donations per year. With a fitting budget, OpenSSL could thrive like Linux and prevent other Heartbleed-like outbreaks.

Thankfully, last week, the Linux Foundation announced a three-year, multi-million dollar initiative to help under-funded open source projects, including OpenSSL – which can now afford to conduct security audits, enable outside reviews, and hire more than one full-time developer. The Core Infrastructure Initiative should prove successful precisely because Linux Foundation leaders promise to respect OpenSSL community norms and preserve OpenSSL’s autonomy.

President Obama urged Congress for NSA reform this past Thursday. Under his proposal, phone companies would release their customers’ records to the NSA only after the Foreign Intelligence Surveillance Court (FISC) approves requests for specific phone numbers. Queries would also be limited to “two hops” rather than “three hops” – meaning that the NSA would (still) receive “all the contacts of all the contacts of suspected persons.” President Obama believes these measures would “provide our intelligence and law enforcement professionals the information they need to keep us safe while addressing the legitimate privacy concerns that have been raised” and Edward Snowden has stated that such measures would mark “the beginning of a new effort to reclaim our rights from the NSA and restore the public’s seat at the table of government.”

This past Wednesday, Aereo filed a 100-page brief reiterating that TV broadcasters “have no right to royalties at all for retransmissions of their content within the original broadcast market” and Aereo CEO Chet Kanojia expressed confidence “that the [Supreme] Court will validate and preserve a consumer’s right to access local over-the-air television using an individual antenna, make a personal recording with a DVR, and watch that recording on a device of their choice.” Kanojia denied having a “plan B” in case Aereo loses, whereas CBS CEO Leslie Moonves posited that if Aereo wins, CBS might offer its content over the web rather than over the broadcast airwaves.

This Wednesday, Rep. Bob Goodlatte (R-VA) introduced the Innovation Act of 2013, a bill aimed at disempowering patent trolls. Notable provisions include a heightened pleading requirement for filing patent infringement claims, an assumption that attorneys’ fees will be awarded to prevailing parties, the delay of discovery until after a ruling on claim construction has been made, and transparency of ownership – that is, mandatory disclosure of the assignees of a patent, plus any entities with rights to enforce the patent or with financial interest in the patent, as well as the “ultimate parent entity” that is bringing the patent claim.

For the Hubble Telescope alone, a two-week-long federal government shutdown might waste between $3 and $8 million and could forfeit hundreds of critical astronomical observations. Additionally, none of the 1,437 NIH Clinical Center studies that are now underway – 500 of which involve new drugs and medical devices – will accept new patients during the shutdown. In fact, the shutdown-induced damage to biomedical research, as a whole, seems particularly irreversible. Furthermore, while the NASA Mars rover Curiosity is still running and Mission Control Center operations are ongoing, virtually all NASA employees are forced to stay home.